As many of you noticed, a couple of weeks ago we changed up the formatting on the site. This was done for security: a severe XSS vulnerability was found in our Markdown parser, as well as a potential security issue in our Safe HTML parser, and we moved fast to disable them when it was discovered.
At the same time, we decided to go ahead and actually deprecate parsers that were considered deprecated internally for quite some time - Textile, Curse Wiki and Safe HTML.
In retrospect, this was shortsighted, and we should not have deprecated Safe HTML. Since we made the determination internally to deprecate it, it has seen a huge rise in popularity, primarily in the Bukkit Dev community, and we had not factored in this new usage. We moved fast on the security, and made a rash decision in the heat of the moment to deprecate it without re-evaluating usage. For that we apologize.
With that out of the way, I'm happy to announce that Safe HTML is back, and the same HTML subset is available if you use Markdown.
The new and improved Safe HTML (and Markdown) supports the following tags:
a, abbr, b, big, blockquote, br, caption, code, dd,
del, dl, dt, em, h1, h2, h3, h4, h5, h6, hr, i,
img, li, ol, p, pre, s, small, strike, strong, sub,
sup, table, tbody, td, tfoot, th, thead, tr, ul
And attributes:
alt, colspan, href, rowspan, src, title
Note that both tags and attributes must be lowercase. Uppercase is no longer supported.
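An added example, not the site's own parser code: a minimal allowlist filter in Python built from the tag and attribute lists above, with the lowercase-only rule enforced by the tag grammar itself. The http/https scheme check on href and src, the double-quoted attribute syntax, and rendering rejected markup as escaped text are assumptions, since the post does not say how the real parser handles them.

```python
import html
import re

# Allowlists copied from the announcement above.
ALLOWED_TAGS = frozenset("""a abbr b big blockquote br caption code dd del dl dt em
h1 h2 h3 h4 h5 h6 hr i img li ol p pre s small strike strong sub sup table tbody td
tfoot th thead tr ul""".split())
ALLOWED_ATTRS = frozenset("alt colspan href rowspan src title".split())
SAFE_SCHEMES = {"http", "https"}  # assumption: the post does not list URL schemes

# Strict, lowercase-only tag grammar; anything that fails to match stays text.
TAG = re.compile(r'<(/?)([a-z][a-z0-9]*)((?:\s+[a-z]+="[^"<>]*")*)\s*(/?)>')
ATTR = re.compile(r'([a-z]+)="([^"<>]*)"')
SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*):")

def text_out(s):
    """Normalise entities, then escape so the result can never open a tag."""
    return html.escape(html.unescape(s))

def url_ok(value):
    """Accept relative URLs and SAFE_SCHEMES only (rejects javascript:, data:)."""
    cleaned = re.sub(r"[\x00-\x20]+", "", value)  # browsers ignore tabs/newlines
    m = SCHEME.match(cleaned)
    return m is None or m.group(1).lower() in SAFE_SCHEMES

def rebuild_tag(m):
    """Return a re-serialised tag if it is on the allowlist, else None."""
    closing, name, raw_attrs, _ = m.groups()
    if name not in ALLOWED_TAGS or (closing and raw_attrs):
        return None
    if closing:
        return f"</{name}>"
    kept = []
    for attr, raw in ATTR.findall(raw_attrs):
        value = html.unescape(raw)  # decode entities before checking the scheme
        if attr in ALLOWED_ATTRS and (attr not in ("href", "src") or url_ok(value)):
            kept.append(f' {attr}="{html.escape(value)}"')
    return f"<{name}{''.join(kept)}>"

def sanitize(text):
    """Escape everything, then let through only tags rebuilt from the allowlist."""
    out, pos = [], 0
    for m in TAG.finditer(text):
        out.append(text_out(text[pos:m.start()]))
        out.append(rebuild_tag(m) or text_out(m.group(0)))
        pos = m.end()
    out.append(text_out(text[pos:]))
    return "".join(out)
```

This sketch does not balance opening and closing tags, which a production filter would also need to do.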
If you have any tags and attributes you'd like to see supported, let us know in the comments below, and we will consider adding them.
Have a good weekend.
How can you embed YouTube using Safe HTML?
Would like to see font color.
Would you consider supporting data URIs in the src attribute for img tags? Currently they just get turned into "broken image" placeholders.
Is there any way to get IDs on headings now? It was really useful to be able to put a link at the top of the description that sent users to the "How to report a bug" section further down the page.
Headings used to get auto-generated IDs (e.g. "How to report a bug" would get an ID of "c-how-to-report-a-bug" which could be linked to with href="#c-how-to-report-a-bug") but this does not seem to be happening anymore, either on WowAce.com or on Curse.com. Creole, Markdown, and Safe HTML all generate semantically recognizable headings (e.g. h1-h6) so it shouldn't be too hard to re-implement.
Edit:
It would also be nice to have some way of floating images to the left or right. Most images aren't even close to the full width of the page, so they look kind of silly with a bunch of blank space next to them. I understand that "style" is out of the question, so I'm not sure how this could be implemented.
Could you also add back alignment tags to Markdown? E.g. the most useful one being <center>. This was lost and I don't see any other way of centering. Right now, my previous <center> tag is centering the image by itself but is of course not optimal :P
Could you possibly allow the style and/or iframe tags?
@Phanx:
Markdown is Markdown. However, the Safe HTML subset is also available when using Markdown.
I see definition lists (dl, dt, dd) are supported in Safe HTML, and the post mentions that the same HTML subset is available in Markdown. However, the official Markdown syntax doesn't support definition lists, and the CurseForge syntax info page just points to the official Markdown page for syntax info.
Are you guys actually using one of the Markdown extensions that supports definition lists? If so, what's the syntax?
I would like the ability to use safeHTML in wikicreole. :P
But the serious suggestion: attribute width (specifically in tables)
@tyzoid:
It again comes down to styling. While there are innocent cases, it enables too much control over the display of the page. We give you access to a lot of data and text formatting, but not style or layout.
@zachbora:
We don't support underlining because it is often confused with links and on top of that makes for very bad typography (it changes the shape of the word). Instead, you should use the em or strong tags for emphasis.
@tyzoid:
Style is not supported because it'd allow undesirable control over the layout. We may in the future support a subset of style parameters, but it is not planned for at this time.
Any possibility supporting the style attribute?
At any rate, thank you very much for the return of Safe HTML.
Why is <u> not supported? Is it dangerous or is there an alternative?
Thank you! That was fast!
That made a return much faster than I hoped. Thank you sir.
Thanks for this update! I know a lot of BukkitDev users will be very glad to see the return of Safe HTML.